Hi Ashwin,
On Thu, 21 May 2026 at 21:31, Aswin Murugan <[email protected]> wrote:
>
> Hi Ilias
>
> On 5/18/2026 2:07 PM, Ilias Apalodimas wrote:
> > On Fri, 15 May 2026 at 16:17, Aswin Murugan
> > <[email protected]> wrote:
> >> Hi Ilias,
> >>
> >> This change has been verified locally with our setups on qcs615 &
> >> QCS9100 SOCs
> > Ok I am getting the same error here. How did you produce the final binary?
> >
> > The only test I am doing here is enable secure boot and variable
> > preseed. Then generate the preseed with
> >
> > ./tools/efivar.py set -i ubootefi.var -n pk -d PK.esl -t file
> > ./tools/efivar.py set -i ubootefi.var -n kek -d KEK.esl -t file
> > ./tools/efivar.py set -i ubootefi.var -n db -d db.esl -t file
> > ./tools/efivar.py set -i ubootefi.var -n dbx -d dbx.esl -t file
>
> Similar steps are followed but instead of .esl we pass .auth file to
> efivar tool and sign the kernel using sbsign

What's in the auth file? A certificate? You are not supposed to pass the
.auth file iirc. We expect to have an ESL in there.

The documentation is unfortunately missing but there's a pointer in
commit 73253d7765c

In any case, we should look into why using the auth file works, but it
doesn't sound correct

Thanks
/Ilias

>
> tools/efivar.py set --infile ubootefi.var --name PK --attrs nv,bs,rt,at
> --type file --data PK.auth
>
> tools/efivar.py set --infile ubootefi.var --name KEK --attrs nv,bs,rt,at
> --type file --data KEK.auth
>
> tools/efivar.py set --infile ubootefi.var --name db --attrs nv,bs,rt,at
> --type file --data db.auth
>
> tools/efivar.py set --infile ubootefi.var --name dbx --attrs nv,bs,rt,at
> --type file --data dbx.auth
>
> *sign the images to be verified *
>
> sbsign --key db.key --cert db.crt bootaa64.efi --output bootaa64.efi
>
> sbsign --key db.key --cert db.crt linux-iq-9075-evk.efi --output
> linux-iq-9075-evk.efi
>
> Regards,
> Aswin M
>
> >
> > Thanks
> > /Ilias
> >> Regards,
> >> Aswin
> >>
> >> On 5/15/2026 4:02 PM, Ilias Apalodimas wrote:
> >>> Hi Ashwin,
> >>>
> >>> On Thu, 14 May 2026 at 20:17, Aswin Murugan
> >>> <[email protected]> wrote:
> >>>> efivar.py currently stores authenticated variables including the
> >>>> EFI_VARIABLE_AUTHENTICATION_2 descriptor (timestamp + WIN_CERTIFICATE)
> >>>> along with the payload.
> >>>>
> >>>> When variables are set via U-Boot, SetVariable() validates and strips
> >>>> this authentication descriptor before persisting the variable data,
> >>>> resulting in only the payload being stored and returned by GetVariable().
> >>>>
> >>>> This mismatch causes efivar.py-generated stores to differ from U-Boot
> >>>> runtime behavior and leads to incorrect GetVariable() results.
> >>>>
> >>>> Update efivar.py to strip the authentication descriptor and store only
> >>>> the payload for authenticated variables, ensuring consistency with
> >>>> U-Boot behavior and compliance with UEFI expectations.
> >>> The approach is fine, but when I use the tool now to create signatures > >>> and enable secure boot I am getting > >>> => bootefi bootmgr > >>> Getting signature database(db) failed" > >>> > >>> Have you tried a built that worked locally? > >>> > >>> Thanks > >>> /Ilias > >>>> Signed-off-by: Aswin Murugan <[email protected]> > >>>> --- > >>>> Changes in v3: > >>>> - Previously stripped the authentication descriptor at GetVariable(), > >>>> now moved to strip it in efivar.py during variable pre-seeding/set. > >>>> Link to v2: > >>>> https://lore.kernel.org/u-boot/[email protected]/ > >>>> > >>>> Changes in v2: > >>>> - Enhanced commit message with explicit UEFI spec reference > >>>> Link to v1: > >>>> https://lore.kernel.org/u-boot/[email protected]/ > >>>> --- > >>>> tools/efivar.py | 50 ++++++++++++++++++++++++++++++++++++++++++++++++- > >>>> 1 file changed, 49 insertions(+), 1 deletion(-) > >>>> > >>>> diff --git a/tools/efivar.py b/tools/efivar.py > >>>> index 67729fa8505..d248cd868ba 100755 > >>>> --- a/tools/efivar.py > >>>> +++ b/tools/efivar.py 
> >>>> @@ -79,6 +79,50 @@ class EfiVariable: > >>>> def calc_crc32(buf): > >>>> return zlib.crc32(buf) & 0xffffffff > >>>> > >>>> +def strip_auth_descriptor(data, attrs): > >>>> + """ > >>>> + Strip the EFI auth descriptor from authenticated variable data. > >>>> + > >>>> + This is used during efivar.py-based pre-seeding of ubootefi.var to > >>>> + match U-Boot SetVariable() behavior, where the authentication header > >>>> + is consumed during validation and only the payload is stored. > >>>> + > >>>> + For variables with > >>>> EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS: > >>>> + - Input format: [EFI_VARIABLE_AUTHENTICATION_2 | payload] > >>>> + - Stored format: [payload only] > >>>> + > >>>> + Auth header size calculation (aligned with U-Boot > >>>> efi_variable_authenticate()): > >>>> + auth_size = sizeof(EFI_TIME) + WIN_CERTIFICATE.dwLength > >>>> + > >>>> + Only the payload portion is retained after stripping the header. > >>>> + """ > >>>> + if not (attrs & EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS): > >>>> + return data > >>>> + if not data: > >>>> + return data > >>>> + > >>>> + efi = EfiStruct() > >>>> + if len(data) < efi.var_time_size: > >>>> + return data > >>>> + > >>>> + offset = efi.var_time_size > >>>> + if len(data) < offset + efi.var_win_cert_size: > >>>> + return data > >>>> + > >>>> + try: > >>>> + cert_hdr = struct.unpack_from(efi.var_win_cert_fmt, data, > >>>> offset) > >>>> + dwLength = cert_hdr[0] > >>>> + except struct.error: > >>>> + return data > >>>> + > >>>> + auth_size = efi.var_time_size + dwLength > >>>> + if auth_size <= 0 or auth_size > len(data): > >>>> + return data > >>>> + > >>>> + if len(data) <= auth_size: > >>>> + return b'' > >>>> + return data[auth_size:] > >>>> + > >>>> class EfiVariableStore: > >>>> def __init__(self, infile): > >>>> self.infile = infile 
> >>>> @@ -172,8 +216,12 @@ class EfiVariableStore: > >>>> break > >>>> offs = loffs > >>>> > >>>> + if data and (attrs & > >>>> EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS): > >>>> + data = strip_auth_descriptor(data, attrs) > >>>> + size = len(data) if data else 0 > >>>> + > >>>> tsec = int(time.time()) if attrs & > >>>> EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS else 0 > >>>> - nd = name.encode('utf_16_le') + b"\x00\x00" + data > >>>> + nd = name.encode('utf_16_le') + b"\x00\x00" + (data if data > >>>> else b'') > >>>> # U-Boot variable format requires the name + data blob to be > >>>> 8-byte aligned > >>>> pad = ((len(nd) + 7) & ~7) - len(nd) > >>>> nd += bytes([0] * pad) > >>>> -- > >>>> 2.34.1 > >>>>
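Review bot: in the @@ -79 hunk, strip_auth_descriptor() decides whether to strip based only on the attribute bit and a bounds check on `dwLength = cert_hdr[0]` read at offset var_time_size, so it cannot tell an EFI_VARIABLE_AUTHENTICATION_2 blob from a bare ESL stored with the `at` attribute, which is the input the thread says the tool expects; for a bare ESL the u32 at that offset is the first EFI_SIGNATURE_LIST's SignatureListSize, so an ESL holding more than one list passes `if auth_size <= 0 or auth_size > len(data):` and is silently truncated. Before stripping, also check wRevision and wCertificateType against WIN_CERT_TYPE_EFI_GUID and the CertType GUID against EFI_CERT_TYPE_PKCS7_GUID, and make a malformed descriptor an error (raise instead of the several `return data` fallbacks), since persisting a half-parsed blob verbatim is exactly the mismatch the commit message describes. The `auth_size <= 0` branch is unreachable (var_time_size is positive, dwLength is unsigned) and can go, and the docstring should state that nothing in the descriptor is verified here, so the pre-seeded store trusts whatever .auth blob it is handed.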
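Review bot: in the @@ -172 hunk, the guard `if data and (attrs & EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS):` repeats the two checks strip_auth_descriptor() already performs on entry, so the call can simply be unconditional; the more important gap is that a descriptor carrying an empty payload, which under the UEFI SetVariable() rules is a delete request for a time-based authenticated variable, falls through `size = len(data) if data else 0` and is written as a zero-length variable with a fresh `tsec` rather than being removed from the store. Either delete the variable when the stripped payload is empty or reject it, and keep `size` and the `nd` blob consistent for that case. The `(data if data else b'')` change also implies data may be None here; if it can, a comment saying where that comes from would help, otherwise drop the conditional.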


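As an added example, not code from the patch, from U-Boot's efivar.py or from either poster, the Python below shows the check the discussion above points at: it tells a bare ESL (the input Ilias says the tool expects) apart from an EFI_VARIABLE_AUTHENTICATION_2 blob by validating the WIN_CERTIFICATE revision, type and CertType GUID before stripping, next to a dwLength-only strip that shows how an ESL with more than one signature list gets truncated. The field layouts are from the UEFI spec; the ESL and descriptor blobs are constructed for the demo and the PKCS7 bytes are a placeholder, not a real signature.

```python
import struct
import uuid

# Field layouts from the UEFI spec (EFI_TIME, WIN_CERTIFICATE_UEFI_GUID,
# EFI_SIGNATURE_LIST). All blobs built below are constructed for this demo.
EFI_TIME_FMT = "<HBBBBBBIhBB"                       # 16 bytes
EFI_TIME_SIZE = struct.calcsize(EFI_TIME_FMT)
WIN_CERT_FMT = "<IHH16s"                            # dwLength, wRevision, wCertificateType, CertType
WIN_CERT_SIZE = struct.calcsize(WIN_CERT_FMT)       # 24 bytes
WIN_CERT_TYPE_EFI_GUID = 0x0EF1
WIN_CERT_REVISION = 0x0200
EFI_CERT_TYPE_PKCS7_GUID = uuid.UUID("4aafd29d-68df-49ee-8aa9-347d375665a7").bytes_le
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072").bytes_le

def is_auth2_descriptor(data: bytes) -> bool:
    """True only if data begins with a well-formed EFI_VARIABLE_AUTHENTICATION_2."""
    if len(data) < EFI_TIME_SIZE + WIN_CERT_SIZE:
        return False
    dw_len, rev, ctype, cert_guid = struct.unpack_from(WIN_CERT_FMT, data, EFI_TIME_SIZE)
    return (rev == WIN_CERT_REVISION and ctype == WIN_CERT_TYPE_EFI_GUID
            and cert_guid == EFI_CERT_TYPE_PKCS7_GUID
            and WIN_CERT_SIZE <= dw_len <= len(data) - EFI_TIME_SIZE)

def strip_auth_descriptor(data: bytes) -> bytes:
    """Return the payload behind the descriptor; refuse anything else (e.g. a bare ESL)."""
    if not is_auth2_descriptor(data):
        raise ValueError("not an EFI_VARIABLE_AUTHENTICATION_2 blob")
    dw_len = struct.unpack_from("<I", data, EFI_TIME_SIZE)[0]
    return data[EFI_TIME_SIZE + dw_len:]

def dwlength_only_strip(data: bytes) -> bytes:
    """Strip using dwLength and bound checks alone, with no type or GUID check."""
    if len(data) < EFI_TIME_SIZE + WIN_CERT_SIZE:
        return data
    auth_size = EFI_TIME_SIZE + struct.unpack_from("<I", data, EFI_TIME_SIZE)[0]
    return data if auth_size > len(data) else data[auth_size:]

def make_esl(cert_der: bytes) -> bytes:
    """One EFI_SIGNATURE_LIST with a single X.509 entry (zero owner GUID + DER bytes)."""
    sig = bytes(16) + cert_der                       # EFI_SIGNATURE_DATA
    return struct.pack("<16sIII", EFI_CERT_X509_GUID, 28 + len(sig), 0, len(sig)) + sig

def make_auth2(payload: bytes, pkcs7: bytes) -> bytes:
    """Prefix payload with an EFI_TIME + WIN_CERTIFICATE_UEFI_GUID descriptor."""
    efi_time = struct.pack(EFI_TIME_FMT, 2026, 5, 14, 0, 0, 0, 0, 0, 0, 0, 0)
    cert = struct.pack(WIN_CERT_FMT, WIN_CERT_SIZE + len(pkcs7), WIN_CERT_REVISION,
                       WIN_CERT_TYPE_EFI_GUID, EFI_CERT_TYPE_PKCS7_GUID)
    return efi_time + cert + pkcs7 + payload         # pkcs7 is a placeholder, not a real signature
```

With a single-list ESL the dwLength-only strip happens to leave the data untouched because the first u32 equals the whole length; with two lists it cuts the blob at the first list's SignatureListSize.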